Incite 7/14/2010: Mello Yello

I’m discovering that you do mellow with age. I remember when I first met the Boss how mellow and laid back her Dad was. Part of it is because he doesn’t hear too well anymore, which makes him blissfully unaware of what’s going on. But he’s also mellowed, at least according to my mother-in-law. He was evidently quite a hothead 40 years ago, but not any more. She warned me I’d mellow too over time, but I just laughed. Yeah, yeah, sure I will.

But sure enough, it’s happening. Yes, the kids still push my buttons and make me nuts, but most other things just don’t get me too fired up anymore. A case in point: the Securosis team got together last week for another of our world domination strategy sessions. On the trip back to the airport, I heard strange music. We had rented a Kia Soul, with the dancing hamsters and all, so I figured it might be the car. But it was my iPad cranking music.

WTF? What gremlin turned on my iPad? Took me a few seconds, but I found the culprit. I carry an external keyboard with the iPad and evidently it turned on, connected to the Pad, and proceeded to try to log in a bunch of times with whatever random strings were typed on the keyboard in my case. Turns out the security on the iPad works – at least for a brute force attack. I was locked out and needed to sync to my computer in the office to get back in.

I had my laptop, so I wasn’t totally out of business. But I was about 80% of the way through Dexter: Season 2 and had planned to watch a few more episodes on the flight home. Crap – no iPad, no Dexter. Years ago, this would have made me crazy. Frackin’ security. Frackin’ iPad. Hate hate hate. But now it was all good. I didn’t give it another thought and queued up for an Angry Birds extravaganza on my phone.

Then I remembered that I had the Dexter episodes on my laptop. Hurray! And I got an unexpected upgrade, with my very own power outlet at my seat, so my mostly depleted battery wasn’t an issue. Double hurray!! I could have made myself crazy, but what’s the point of that?

Another situation arose lately when I had to defuse a pretty touchy situation between friends. It could have gotten physical, and therefore ugly with long-term ramifications. But diplomatic Mike got in, made peace, and positioned everyone to kiss and make up later. Not too long ago, I probably would have gotten caught up in the drama and made the situation worse.

As I was telling the Boss the story, she deadpanned that it must be the end of the world. When I shot her a puzzled look, she just commented that when I’m the voice of reason, Armageddon can’t be too far behind.

You can’t be half global… – Andy Grove (yeah, the Intel guy) started a good discussion about the US tech industry and job creation. Gunnar weighed in as well with some concerns about lost knowledge and chain of experience. I don’t get it. Is Intel a US company? Well, it’s headquartered in the US, but it’s a global company. So is GE. And Cisco and Apple and IBM and HP. Since when does a country have a scoreboard for manufacturing stuff? The scoreboard is on Wall Street and it’s measured in profit and loss. So big companies send commodity jobs wherever they find the best mix of cost, efficiency, and quality. We don’t have an innovation issue here in the US – we have a wage issue. The pay scales of some job functions in the US have gone way over their (international) value, so those jobs go somewhere else. Relative to job creation, free markets are unforgiving and skill sets need to evolve. If Apple could hire folks in the US to make iPhones for $10 a week, I suspect they would. But they can’t, so they don’t. If the point is that we miss out on the next wave of innovation because we don’t assemble the products in the US, I think that’s hogwash. These big companies have figured out sustainable advantage is moving out of commodity markets. Too bad a lot of workers don’t understand that yet. – MR

Tinfoil hats – Cyber Shield? Really? A giant monitoring project? I don’t really understand how a colossal systems monitoring project is going to shield critical IT infrastructure. It may detect cyber threats, but only if they know what they are looking for. The actual efforts are classified, so we can’t be sure what type of monitoring they are planning to do. Maybe it’s space alien technology we have never seen before, implemented in ways we could never have dreamed of. Or maybe it’s a couple hundred million dollars to collect log data and worry about analysis later. Seriously, if the goal here is to protect critical infrastructure, here’s some free advice: take critical systems off the freaking Internet! Yeah, putting these systems on the ‘Net many years ago was a mistake because these organizations are both naive and cheap. Admit the mistake and spend your $100M on private systems that are much easier to secure, audit, and monitor. The NSA has plenty of satellites; I am sure they can spare some bandwidth for power and other SCADA control systems. If it’s really a matter of national security to protect these systems, do that. Otherwise it’s just another forensic tool to record how they were hacked. – AL

Conflict of interest much? – Testing security tools is never easy, and rarely reflects how they would really work for you. Mike covered this one already, but it is, yet again, rearing its head. NSS Labs is making waves with its focus on “real world” antivirus software testing. Rather than running tools against a standard set of malware samples, they’ve been mixing things up and testing AV tools against live malware (social engineering based), and modifications of known malware. The live test gives you an idea of how well the tools will work in real life with actual users behind them. The modifications tests give you an idea of whether the tools will detect new variants of known attacks. Needless to say, the AV vendors aren’t happy and are backing their own set of “standards” for testing while disparaging NSS, except the ones who scored well. I realize this is how the world works, but it’s still depressing. – RM

Automating firewall ops – Speaking of product reviews, NetworkWorld published one this week on firewall operations tools. You know, those tools that suck in firewall configs, analyze them and maybe even allow you to change said firewalls without leaving a hole so big the Titanic could sail through? Anyhow, this still feels like a niche market even though there are 5 players in it, because you need to have a bunch of firewalls to take advantage of such a tool. Clearly these tools provide value but ultimately it comes back to pricing. At the right price the value equation adds up. Ultimately they need to be integrated with the other ops tools (like patch/config, SIEM/LM, etc.), since the swivel chair most admins use to switch between different management systems is worn out. – MR

Eternal breach – Although credit cards are time limited (they come with expiration dates), a lot of other personal information lives longer than you do. Take your Social Security Number or private communications… once these are lost in a breach, any breach, the data stays in circulation and remains sensitive. That’s why the single year of credit monitoring offered by most organizations in their breach response is a bad joke. The risk isn’t limited to a year, so this is a CYA gesture. Help Net Security digs into this often ignored problem. I don’t really expect things to get any better; our personal information is all over the darn place, and we are at risk as soon as it’s exposed once… from anywhere. I’m going to crawl back into my bunker now. – RM

Deals, Good ‘n’ Plenty – There is no stopping the ongoing consolidation in the security space. Last week the folks at Webroot bought a web filtering SaaS shop called BrightCloud. Clearly you need both email and web filtering (yeah, that old content thing), so it was a hole in Webroot’s move towards being a SaaS shop. Yesterday we also saw GFI acquire Sunbelt’s VIPRE AV technology. This seems like a decent fit because over time distribution leverage is key to ongoing sustainability. That means you need to pump more stuff into existing customers. And given the price set by Sophos’ private equity deal, now was probably a good time for Sunbelt to do a deal, especially if they were facing growing pains. Shavlik seems a bit at risk here, since they OEM Sunbelt and compete with GFI. – MR

E-I-eEye-Oh! – During the last economic downturn, the dot-com bust days of 2000, HR personnel used to love to call people ‘job hoppers’. “Gee, it seems you have had a new job every 24 months for the last 6 years. We are really looking for candidates with a more stable track record.” It was a lazy excuse to dismiss candidates, but some of them believed it. I think that mindset still persists, even though the average job tenure in development is shy of 21 months (much shorter for Mike!), and just slightly better for IT. Regardless, that was the first thing that popped into my head when I learned that Marc Maiffret has jumped ship from FireEye back to eEye. Dennis Fisher has a nice interview with Marc over at Threatpost. Feels like just a few weeks ago he joined FireEye, but as most hiring managers will tell you, team chemistry is as important as job skills when it comes to hiring. I was sad to see Marc leave eEye – was it four years ago? – to start Invenio. At the time eEye was floundering, and from my perspective product management was poorly orchestrated. I am sure the investors were unhappy, but Marc seemed to get a disproportionate amount of the heat, and eEye lost a talented researcher. The new management team over at eEye still has their hands full with this reclamation project, but Marc’s a good addition to their research team. If eEye seriously wants to compete with Qualys and Rapid7, they need all the help they can get, and this looks like a good fit for both the company and Marc. Good luck, guys! – AL

Low Hanging Fruit doesn’t need to be expensive – Fast, cheap, or secure. Pick two. Or so the saying goes, but that’s especially true for SMB folks trying to protect their critical data. It ain’t cheap doing this security stuff, or is it? The reality is that given the maturity of SaaS options, most SMB folks should be looking at outsourcing critical systems (CRM, ERP, etc.). And for those systems still in-house, as well as networks and endpoints, you don’t need to make it complicated. Dark Reading presents some ideas, but we have also written quite a bit on fundamentals and low hanging fruit. No, world class security is not low hanging fruit, but compared to most other SMB (and even enterprise-size) companies, covering the fundamentals should be good enough. And no, I’m not saying to settle for crap security, but focusing on the fundamentals, especially the stuff that doesn’t cost much money (like secure configurations and update/patch) can make a huge difference in security posture without breaking the bank. – MR
